12 Replies

I can't find the command anywhere. I know the PSPKI says it's available as part of the RSAT cmdlets but I don't believe it is. In fact, the only reference outside of PSPKI's own documentation was this bit of code on Poshcode:

I don't have 802.1x available to test this. But if you go to Start, search for mmc, click File, then Add/Remove Snap-in. On the left click certificate manager and then click Add, then OK. I would think it would be a user certificate. And then open the first folder of user cert and personal. Is it listed there?

Sorry this is all from memory and I'm typing on my phone. Hope you get the gist.

If it's there I have a script that will work. I do the same thing for 105 servers and computer certificates.

Thanks for your reply. Will try this in the next minutes and get back to post if anything will be better.

Morning ChameleOn,

you're alright with your information. Only one thing: 802.1x is computer based (so the certificate is not in the personal store, it's under the computer store).

Could you send me your script or post it? Maybe I can adapt it for my need.

The thing is, I need to make it possible to get a mail if any of these certificates would expire in 21 or fewer days (auto renewal after 30 days is active, but some clients are on notebooks and tablets, which will not be connected for some months, and so we have to inform them to come to the office for certificate renewal).

Thx yours Rainhard

That's all good, that's what I wanted to make sure, was where the cert was stored. If it's the computer store, that's great because my script is already doing that. Give me a few minutes to scrounge it up.

Okay here we go. It is simply a Get-ChildItem on Certs:\ and then a matter of drilling down from there, I have created an HTML report for it as well. You may need to add a filter/where-object to the Get-ChildItem to filter out the other certificates.

I have the script using a Server.txt to define what servers/computer to grab certs from, but you can edit this easily to get a list of computers from AD or something else. One thing assumed, is that C:\Logs exists, because that's where the HTML output gets put.

Thanks so far, your script is great for querying some servers/clients, but not ALL of a domain. I never know all client/server names, so a static txt list is not the right way. I need to get all certificate data from all clients/servers etc. on the domain, even from non-connected clients (notebooks/tablets). I think the right way is to query the PKI for the expiration dates, because the notebooks/tablets are not in the network most of the time (only 3-5 times a year) and so the certificate would expire without automatic renewal and without any notice.

That is true. My method queries the individual computer and grabs the cert and expiration date from the mmc. So it would have to be online and in the network.

I currently do not have a way to query the PKI server. Sorry.

You could set up a scheduled task script on the computers that are not connected to the corporate network, to check its own expiration date once a month and then email you the results. But that could be a lot of individual emails if you have a lot off the network.

Martin9700, to get all computers is not the problem. To get ALL client certificates from the PKI (even from the computers that are not connected to the network at "scan time") is the thing that gives me gray hair.
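
The CA-side query asked for in this thread, sketched as an added example (not part of the thread and not any participant's script): it reads the CA database with `certutil -view`, so certificates of clients that are currently offline are included. The CA config string, SMTP server, mail address, template name and the sample rows are placeholders or constructed values, and the exact shape of the csv output is an assumption.

```powershell
# Added example: list issued certificates that expire within $Days days by
# querying the CA database instead of each client's certificate store.
param(
    [string]$CaConfig = 'CA-HOST\CA-NAME',          # placeholder: "host\CA name" of the issuing CA
    [int]$Days        = 21,
    [string]$SmtpServer,                            # placeholder; mail is sent only when this is set
    [string]$MailTo   = 'pki-admins@example.com',   # placeholder address
    [switch]$UseSample                              # parse the constructed rows below instead of calling the CA
)

$columns = 'RequestID','RequesterName','CommonName','NotAfter','CertificateTemplate'

if ($UseSample) {
    # Constructed sample in the assumed shape of certutil's csv output (header row first).
    $raw = @(
        '"Issued Request ID","Requester Name","Issued Common Name","Certificate Expiration Date","Certificate Template"'
        '"1041","EXAMPLE\NB-017$","nb-017.example.local","6/14/2025 9:12 AM","Workstation8021x"'
        '"1187","EXAMPLE\TAB-003$","tab-003.example.local","6/20/2025 2:40 PM","Workstation8021x"'
    )
} else {
    # Disposition=20 selects issued certificates; now+DD:HH is certutil's relative date syntax.
    $restrict = "Disposition=20,NotAfter>=now,NotAfter<=now+${Days}:00"
    $raw = & certutil.exe -config $CaConfig -view -restrict $restrict -out ($columns -join ',') csv
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $($raw -join ' ')" }
}

# Drop the (localized) header row and use fixed property names instead.
# NotAfter stays a string: the date filter already ran on the CA, so no locale parsing is needed.
$expiring = $raw | Where-Object { $_.Trim() } | Select-Object -Skip 1 |
    ConvertFrom-Csv -Header $columns

$expiring | Sort-Object RequesterName | Format-Table -AutoSize

if ($SmtpServer -and $expiring) {
    $body = $expiring | ConvertTo-Html -Property $columns -Title 'Expiring certificates' | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $MailTo -To $MailTo `
        -Subject "$(@($expiring).Count) certificate(s) expire within $Days days" `
        -Body $body -BodyAsHtml
}
```

Run it with `-UseSample` first to check the parsing; against a real CA the account needs read access to the CA database, and autoenrolled certificates that were already renewed still show their old, expiring entry until it lapses.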